A solutions architect must allow team members to access S3 buckets in two AWS accounts: development and production. Team members already use unique IAM users in the development account and belong to an IAM group with permissions. The solutions architect created an IAM role in the production account that grants access to the production S3 bucket. Which solution meets the requirements while following least privilege?
Choose an answer
Tap an option to check your answer.
Correct answer: Add the development account as a principal in the trust policy of the role in the production account..
Why this is the answer
Adding the development account as a principal in the trust policy of the role in the production account allows users from the development account to assume the production role. This is a secure, least-privilege approach for cross-account access, as it leverages existing IAM users and groups without creating new credentials. The production role's permissions can then be scoped precisely to the S3 bucket, adhering to least privilege. Attaching Administrator Access is overly permissive. Turning off S3 Block Public Access is a security risk and unrelated to cross-account IAM. Creating new users in the production account for each team member is cumbersome, violates the principle of using existing identities, and creates an unnecessary management overhead.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed